alexander.schaeferdiek/knowledge-base
1
0
Fork 0
Code Activity

Manual backup: 2023-04-10 10:30:46

Browse source
This commit is contained in:
Alexander Schäferdiek 2023-04-10 10:30:46 +02:00
parent 112a21aab3
commit 5b7bce859c
12 changed files with 118 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
.obsidian/workspace.json vendored
View file

@ -4,11 +4,11 @@
"type": "split",
"children": [
{
"id": "8ec850240353d92b",
"id": "48eb66e7fecab528",
"type": "tabs",
"children": [
{
"id": "445b425929906bfc",
"id": "80a5e56ba431d89b",
"type": "leaf",
"state": {
"type": "empty",
@ -120,33 +120,34 @@
"templater-obsidian:Templater": false
}
},
"active": "445b425929906bfc",
"active": "80a5e56ba431d89b",
"lastOpenFiles": [
"KB/Linux/Server/Bootstrap.md",
"KB/Linux/Server/DNS.md",
"KB/Linux/Server/Docker Volume Migration.md",
"KB/Linux/Desktop/Tweaks.md",
"KB/Linux/Desktop/Fonts.md",
"KB/Linux/Desktop/Archinstall.md",
"_Templates/Note Template.md",
"README.md",
"KB/Linux/Server/SSH Guard.md",
"KB/Linux/Desktop/Firewall.md",
"KB/Linux/Server/Hetzner/Storagebox.md",
"KB/Linux/Server/Hetzner/Upgrades.md",
"KB/Linux/Pacman.md",
"KB/Linux/Kernel.md",
"KB/Linux/GNOME.md",
"KB/Linux/DNS.md",
"KB/Linux/Disk Speed.md",
"KB/Linux/AMD.md",
"KB/Android/ADB Backup.md",
"KB/Linux/Desktop/Audio/aptx and pulseaudio.md",
"KB/Linux/Desktop/Audio/EQ.md",
"KB/Linux/Desktop/KDE/KDE.md",
"KB/Linux/Desktop/Audio/aptx and pulseaudio.md",
"KB/Linux/Desktop/KDE/KDE Tiling.md",
"KB/Linux/Desktop/KDE/KDE.md",
"KB/Linux/Desktop/Archinstall.md",
"KB/Linux/Desktop/Fonts.md",
"KB/Linux/Desktop/GPG - PGP.md",
"KB/Linux/Desktop/i3.md",
"KB/Linux/Desktop/Steam.md",
"KB/Linux/Desktop/Surface.md",
"KB/Linux/Desktop/sway.md",
"KB/Linux/Desktop/systemd.md",
"KB/Linux/Desktop/Theming Qt and Gtk.md",
"KB/Linux/Server/Hetzner/Storagebox.md",
"KB/Linux/Server/Hetzner/Upgrades.md",
"KB/Linux/Server/Bootstrap.md",
"KB/Linux/Server/DNS.md",
"KB/Linux/Server/Domains.md",
"KB/Linux/Server/PostgreSQL.md",
"KB/Linux/Server/Security hardening.md",
"KB/Linux/Server/SSH Guard, iptables.md"
"KB/Linux/Desktop/Firewall"
]
}

4
KB/Linux/AMD.md
View file

@ -3,9 +3,7 @@ creation date: 2022-08-15
tags: [note,amd,cpu,linux,cppc]
---
# AMD
amd-pstate allows lower idle CPU frequencies. This is not default, let's enable it.
`amd-pstate` allows lower idle CPU frequencies. This is not default, let's enable it.
1. Set any CPPC setting to `enabled` in BIOS (if available, try without it might also work)
2. Add `amd_pstate.shared_mem=1` as Kernel parameter

10
KB/Linux/DNS.md
View file

@ -3,12 +3,10 @@ creation date: 2022-01-08
tags: [note,dns,linux,archlinux,network]
---
# DNS
0. Disable `systemd-resolved` if you want to use plain `resolv.conf`.
1. Either use router's DNS: Restart machine to have and updates `resolv.conf` file.
2. Use dedicated DNS, e.g. see [https://www.kuketz-blog.de/empfehlungsecke/#dns](https://www.kuketz-blog.de/empfehlungsecke/#dns) or your own.
3. Edit `resolv.conf` by making it immutable afterwards: `sudo chattr -i /etc/resolv.conf; sudo nano /etc/resolv.conf; sudo chattr +i /etc/resolv.conf`
1. Disable `systemd-resolved` if you want to use plain `resolv.conf`.
2. Either use router's DNS: Restart machine to have and updates `resolv.conf` file.
3. Use dedicated DNS, e.g. see [https://www.kuketz-blog.de/empfehlungsecke/#dns](https://www.kuketz-blog.de/empfehlungsecke/#dns) or your own.
4. Edit `resolv.conf` by making it immutable afterwards: `sudo chattr -i /etc/resolv.conf; sudo nano /etc/resolv.conf; sudo chattr +i /etc/resolv.conf`
```shell
options timeout:1

76
KB/Linux/Desktop/Firewall.md Normal file
View file

@ -0,0 +1,76 @@
---
creation date: 2023-04-10
tags: [note,firewall,iptables,linux]
---
Change `icmp` to `icmp -j REJECT` to not allow `ping` command.
## IPv4
Put into `/etc/iptables/iptables.rules`. Pay attention to blank line at the end.
```shell
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
```
Enable `iptables.service`. Verify result with `sudo iptables -S`.
Add `4713` (pulseaudio) rule if necessary.
```shell
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT
```
## IPv6
Put into `/etc/iptables/ip6tables.rules`. Pay attention to blank line at the end.
```shell
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
-A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```
Enable `ip6tables.service`. Verify result with `sudo ip6tables -S`.
Add `4713` (pulseaudio) rule if necessary.
```shell
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT
```

2
KB/Linux/GNOME.md
View file

@ -3,8 +3,6 @@ creation date: 2022-01-08
tags: [note,linux,archlinux,gnome,wm]
---
# GNOME
For theming, please have a look at [[KB/Linux/Desktop/Theming Qt and Gtk]]. _Adwaita_ is the default and has some advantages when using GNOME (consistent look).
## Extensions

2
KB/Linux/Kernel.md
View file

@ -3,8 +3,6 @@ creation date: 2022-06-06
tags: [kernel]
---
# Kernel
## Keep kernel around during an update
`yay -S kernel-modules-hook`

8
KB/Linux/Pacman.md
View file

@ -3,8 +3,6 @@ creation date: 2022-07-14
tags: [note,pacman,package,packages,hooks,hook]
---
# Pacman
The following hooks are useful
```
@ -42,4 +40,8 @@ In addition, configure `reflector`(install first) to periodically update mirrorl
# Sort the mirrors by synchronization time (--sort).
--sort score
```
```
## Clean up cache
`sudo systemctl enable --now paccache.timer`

6
KB/Linux/Server/Bootstrap.md
View file

@ -67,9 +67,9 @@ tags: [note,linux,archlinux,install]
16. Make reflector and pkgfile work: `systemctl enable --now reflector.timer pkgfile-update.timer`
17. Follow `Setup Security Hardening.md`
17. Follow [[KB/Linux/Server/Security hardening]]
18. Follow `Setup SSH (guard) and iptables.md`
18. Follow [[KB/Linux/Server/SSH Guard]]
19. Configure root user services for monitoring with `.scriptConfigFile.conf` files.
@ -82,4 +82,4 @@ tags: [note,linux,archlinux,install]
21. **Configure services, e.g. docker, nginx.**
22. Verify everything is working, then reboot. Verify again.
22. Verify everything is working, then reboot. Verify again.

20
KB/Linux/Server/Hetzner/Upgrades.md
View file

@ -1,20 +0,0 @@
---
creation date: 2022-01-08
tags: [note,linux,archlinux]
---
This assumes, that you have `dotfiles-system` installed.
Upgrading the VM includes the following sub tasks:
* host
* host web applications
* docker deployments
Let's dive into details about each of them.
## Updating the host
Login as `admin` and do `pkg-upgrade-full`.
## Updating docker deployments
Login as `root` and do `docker_compose_update` which will update all docker deployments. Ensure to clean up unused images, networks and volumes afterwards.

12
KB/Linux/Server/SSH Guard, iptables.md → KB/Linux/Server/SSH Guard.md
View file

@ -1,8 +1,10 @@
---
creation date: 2022-01-08
tags: [note,archlinux,linux,security,ssh,iptables]
tags: [note,archlinux,linux,security,ssh,iptables,firewall]
---
`sshguard` uses netfilter of kernel (iptables).
## SSH
Disable weak ciphers by adding the following to the `sshd_config` file:
@ -15,13 +17,15 @@ HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512
Be sure to disable password auth (`PasswordAuthentication no`) and set `PermitRootLogin yes`
## iptables
## Setting up iptables
Install `sshguard`. To function properly, add a chain for it (ipv4 and ipv6). Don't forget to restart docker daemon if services don't work properly. Docker manipulates firewall rules.
Ports `22` and `2222` will be monitored in this example.
Ports `22` and `2222` will be monitored in this example. You can add any ssh daemon port, e.g. `10022` in addition, separated with `,`.
Also see [here](https://wiki.archlinux.org/index.php/Sshguard#iptables).
If you have a more complex setup and use `docker`, you probably want a `FILTERS` chain which is loading _before_ `DOCKER-USER`, and apply rules dynamically with `iptables -n` (no flush).
[sshguard on wiki.archlinux.org](https://wiki.archlinux.org/index.php/Sshguard#iptables).
```shell
# IPv4

7
KB/Linux/Wireguard.md
View file

@ -3,8 +3,6 @@ creation date: 2022-09-05
tags: [note,linux,wireguard,wg]
---
# Wireguard
`wireguard-tools` is required.
## Forwarding
@ -22,12 +20,9 @@ In addition, the `AllowedIPs` in the client's `peer` section should be `0.0.0.0/
When using Network Manager, WireGuard profiles can be imported
```shell
```
nmcli connection import type wireguard file <path to conf>
```
Ensure you've unchecked _Automatically connect_ afterwards in `nm-connection-editor`.
## Android
On Android devices, private DNS enabled might block resolving. Disable it for WireGuard

2
KB/Windows/Bootstrap.md
View file

@ -3,8 +3,6 @@ creation date: 2022-01-08
tags: [note,windows,install]
---
# Bootstrap
Fight Windows!
## Things to do regulary: